On July 8, Microsoft issued a security update for Active Directory Domain Controllers for Windows Server versions prior to 2025. This update includes a change to the Microsoft RPC Netlogon protocol, which improves security by tightening access checks for a set of RPC requests.
TrueNAS (and other Samba implementations) running as domain members in these environments will be impacted by this change if they are configured to use the ‘ad’ idmapping backend.
The TrueNAS fix for this change is documented in NAS-136590: Windows security update to Active Directory Domain Controllers breaks idmap_ad in winbindd.
Several updates will fix this issue in different TrueNAS release trains. Only Active Directory-attached TrueNAS systems should update. If the system does not use the ‘ad’ idmap backend, updating is optional. The specific updates planned are:
- TrueNAS 13.0 users will update to TrueNAS 13.0-U6.8
- TrueNAS Electric Eel (24.10) users will update to TrueNAS 24.10.2.3. Dragonfish and prior releases will need to update to Electric Eel TrueNAS 24.10.2.3.
- TrueNAS Fangtooth (25.04) users will update to TrueNAS 25.04.2, which will include many other fixes.
TrueNAS 24.10.2.3 and TrueNAS 13.0-U6.8 are planned for Monday, July 14th.
We are currently in the final test of TrueNAS-25.04.2, which will also address this issue and is expected to be delivered the week of July 21st. The current nightly image is available in an emergency.
If you experience any issues related to the Microsoft update, please comment and let us know if the updates resolve the issue.
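
To check whether a Samba domain member uses the ‘ad’ idmapping backend mentioned above, the following added example (not code from iXsystems or the Samba project) parses smb.conf-format text, such as the output of Samba's `testparm -s`, and lists the domains whose idmap backend is `ad`. The function name `idmap_ad_domains` and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not iXsystems or Samba code): report which idmap domains in
# smb.conf-format text use the 'ad' backend affected by the Netlogon change.
# Typical input on a live system:  testparm -s 2>/dev/null | idmap_ad_domains

idmap_ad_domains() {   # hypothetical helper name
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line ~ /^[#;]/) next              # comment lines
        eq = index(line, "=")
        if (eq == 0) next                     # section headers, blank lines
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        gsub(/[ \t]+/, " ", key); sub(/ $/, "", key)
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        # Parameter of interest: "idmap config <DOMAIN> : backend"
        if (tolower(key) !~ /^idmap config [^:]+ ?: ?backend$/) next
        if (val != "ad") next
        dom = key
        sub(/^[^ ]+ [^ ]+ /, "", dom)         # drop "idmap config "
        sub(/ ?: ?[^:]*$/, "", dom)           # drop " : backend"
        print dom
    }'
}

# Constructed sample configuration (domain names are made up).
SAMPLE_CONF='[global]
    workgroup = EXAMPLE
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 90000001-100000000
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    idmap config LAB : backend = rid
    # idmap config OLD : backend = ad'

affected=$(printf '%s\n' "$SAMPLE_CONF" | idmap_ad_domains)
if [ -n "$affected" ]; then
    echo "idmap_ad in use for: $affected (affected by the Netlogon change)"
else
    echo "no domain uses the ad backend"
fi
```

An empty result means no domain is mapped with `ad`; commented-out lines and other backends such as `tdb` or `rid` are ignored.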